rn wrote:
I am currently developing a web application that is working with http.
In order to send sensible user information (passwords) to a database
using XMLHttpRequest I want to do it via https.

From the user's perspective, this is just as insecure as if you sent it with http, since an attacker can replace your http page with his own and send the https request to his own server.

My browser (Firefox 1.5.0.6) tells me in that case that access to
XMLHttpRequest.open is denied.

XMLHttpRequest does a same-origin check. Different protocols means different origins.

Is there a way to bypass this problem?

Serve all the things involved via https.

Why is the same host using different protocols (http vs. https) considered to 
be different?

Because generally it is; for example you could have different web servers running on the different ports. Not to mention the little security problem I mentioned abo

I found an (ugly) solution using an iframe

Which is also insecure for the same reasons.

-Boris
_______________________________________________
dev-security mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security
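
Added example, not part of the original message: a sketch of the same-origin comparison discussed above (scheme, host and port must all match), plus a check for the reply's other point, that an https request issued from an http page is only as trustworthy as the http page. The function names and the app.example URLs are constructed for illustration; this is not the browser's own implementation.

```javascript
// Default ports per scheme, so "https://h/" and "https://h:443/" compare equal.
const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

// An origin is the triple (scheme, host, port).
function originOf(urlString) {
  const u = new URL(urlString);
  const port = u.port || DEFAULT_PORTS[u.protocol] || "";
  return { scheme: u.protocol, host: u.hostname.toLowerCase(), port };
}

// True only if all three components match. A different protocol alone
// (http vs. https) already makes the origins different.
function sameOrigin(a, b) {
  const x = originOf(a);
  const y = originOf(b);
  return x.scheme === y.scheme && x.host === y.host && x.port === y.port;
}

// Assess a request that script running on pageUrl makes to targetUrl.
function assessRequest(pageUrl, targetUrl) {
  const pageSecure = originOf(pageUrl).scheme === "https:";
  const targetSecure = originOf(targetUrl).scheme === "https:";
  return {
    sameOrigin: sameOrigin(pageUrl, targetUrl),
    // The script that decides where the password is sent arrived over the
    // page's transport. If that was plain http, it could have been replaced
    // in transit, no matter how the request itself is sent.
    pageTamperable: !pageSecure,
    // Both the page and the request must use https for the password
    // to be protected from the user's point of view.
    endToEndTls: pageSecure && targetSecure,
  };
}

// Constructed sample: the setup from the question, then the suggested fix.
const asked = assessRequest("http://app.example/login",
                            "https://app.example/api/login");
const fixed = assessRequest("https://app.example/login",
                            "https://app.example/api/login");
console.log("http page  -> https request:", asked);
console.log("https page -> https request:", fixed);
```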
